| 1 | +--- |
| 2 | +layout: blog |
| 3 | +title: "Kubernetes 1.29: CSI Storage Resizing Authenticated and Generally Available in v1.29" |
| 4 | +date: 2023-12-15 |
| 5 | +slug: csi-node-expand-secret-support-ga |
| 6 | +--- |
| 7 | +**Authors:** Humble Chirammal (Vmware), Louis Koo (deeproute.ai) |
| 8 | + |
| 9 | +Kubernetes version v1.29 brings generally available support for authentication |
| 10 | +during CSI (Container Storage Interface) storage resize operations. |
| 11 | + |
| 12 | +Let's embark on the evolution of this feature, initially introduced in alpha in |
| 13 | +Kubernetes v1.25, and unravel the changes accompanying its transition to GA. |
| 14 | + |
| 15 | +## Authenticated CSI storage resizing unveiled |
| 16 | + |
| 17 | +Kubernetes harnesses the capabilities of CSI to seamlessly integrate with third-party |
| 18 | +storage systems, empowering your cluster to seamlessly expand storage volumes |
| 19 | +managed by the CSI driver. The recent elevation of authentication secret support |
| 20 | +for resizes from Beta to GA ushers in new horizons, enabling volume expansion in |
| 21 | +scenarios where the underlying storage operation demands credentials for backend |
| 22 | +cluster operations – such as accessing a SAN/NAS fabric. This enhancement addresses |
| 23 | +a critical limitation for CSI drivers, allowing volume expansion at the node level, |
| 24 | +especially in cases necessitating authentication for resize operations. |
| 25 | + |
| 26 | +The challenges extend beyond node-level expansion. Within the Special Interest |
| 27 | +Group (SIG) Storage, use cases have surfaced, including scenarios where the |
| 28 | +CSI driver needs to validate the actual size of backend block storage before |
| 29 | +initiating a node-level filesystem expand operation. This validation prevents |
| 30 | +false positive returns from the backend storage cluster during file system expansion. |
| 31 | +Additionally, for PersistentVolumes representing encrypted block storage (e.g., using LUKS), |
| 32 | +a passphrase is mandated to expand the device and grow the filesystem, underscoring |
| 33 | +the necessity for authenticated resizing. |
| 34 | + |
| 35 | +## What's new for Kubernetes v1.29 |
| 36 | +With the graduation to GA, the feature remains enabled by default. Support for |
| 37 | +node-level volume expansion secrets has been seamlessly integrated into the CSI |
| 38 | +external-provisioner sidecar controller. To take advantage, ensure your external |
| 39 | +CSI storage provisioner sidecar controller is operating at v3.3.0 or above. |
| 40 | + |
| 41 | +## Navigating Authenticated CSI Storage Resizing |
| 42 | +Assuming all requisite components, including the CSI driver, are deployed and operational |
| 43 | +on your cluster, and you have a CSI driver supporting resizing, you can initiate a |
| 44 | +`NodeExpand` operation on a CSI volume. Credentials for the CSI `NodeExpand` operation |
| 45 | +can be conveniently provided as a Kubernetes Secret, specifying the Secret via the |
| 46 | +StorageClass. Here's an illustrative manifest for a Secret holding credentials: |
| 47 | + |
| 48 | +```yaml |
| 49 | +--- |
| 50 | +apiVersion: v1 |
| 51 | +kind: Secret |
| 52 | +metadata: |
| 53 | + name: test-secret |
| 54 | + namespace: default |
| 55 | +data: |
| 56 | + stringData: |
| 57 | + username: admin |
| 58 | + password: t0p-Secret |
| 59 | +``` |
| 60 | +And here's an example manifest for a StorageClass referencing those credentials: |
| 61 | +
|
| 62 | +```yaml |
| 63 | +--- |
| 64 | +apiVersion: storage.k8s.io/v1 |
| 65 | +kind: StorageClass |
| 66 | +metadata: |
| 67 | + name: csi-blockstorage-sc |
| 68 | +parameters: |
| 69 | + csi.storage.k8s.io/node-expand-secret-name: test-secret |
| 70 | + csi.storage.k8s.io/node-expand-secret-namespace: default |
| 71 | +provisioner: blockstorage.cloudprovider.example |
| 72 | +reclaimPolicy: Delete |
| 73 | +volumeBindingMode: Immediate |
| 74 | +allowVolumeExpansion: true |
| 75 | +``` |
| 76 | +
|
| 77 | +Upon successful creation of the PersistentVolumeClaim (PVC), you can verify the |
| 78 | +configuration within the .spec.csi field of the PersistentVolume. To confirm, |
| 79 | +execute `kubectl get persistentvolume <pv_name> -o yaml`. |
| 80 | + |
| 81 | +## Engage with the Evolution! |
| 82 | +For those enthusiastic about contributing or delving deeper into the technical |
| 83 | +intricacies, the enhancement proposal comprises exhaustive details about the |
| 84 | +feature's history and implementation. Explore the realms of StorageClass-based |
| 85 | +dynamic provisioning in Kubernetes by referring to the [storage class documentation] |
| 86 | +(https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class) |
| 87 | +and the overarching [PersistentVolumes](/docs/concepts/storage/persistent-volumes/) documentation. |
| 88 | + |
| 89 | +Join the Kubernetes Storage SIG (Special Interest Group) to actively participate |
| 90 | +in elevating this feature. Your insights are invaluable, and we eagerly anticipate |
| 91 | +welcoming more contributors to shape the future of Kubernetes storage! |
| 92 | + |
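Review bot: the Secret manifest in the first `yaml` block under "Navigating Authenticated CSI Storage Resizing" nests `stringData:` under `data:`, which the API server rejects: `data` only accepts base64-encoded string values, and `stringData` is a top-level field alongside `data`, not a child of it. Replace the `data:` key and its nested map with a top-level `stringData:` holding `username: admin` and `password: t0p-Secret`, so readers who copy the example get an object that actually applies. Two smaller points in the same hunk: the `[storage class documentation]` link text is separated from its `(https://...)` target by a line break, which CommonMark does not render as a link, so join them on one line and, for consistency with the neighbouring `[PersistentVolumes](/docs/concepts/storage/persistent-volumes/)` link, prefer the site-relative path `/docs/concepts/storage/persistent-volumes/#class`; and the front-matter `title` ("CSI Storage Resizing Authenticated and Generally Available in v1.29") repeats the version already given in the "Kubernetes 1.29:" prefix, so dropping the trailing "in v1.29" reads better.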